“ISO 27799:2016 gives guidelines for organizational information security standards and information security management practices including the selection, implementation and management of controls taking into consideration the organization's information security risk environment(s). It defines guidelines to support the interpretation and implementation in health informatics of ISO/IEC 27002 and is a companion to that International Standard.

ISO 27799:2016 provides implementation guidance for the controls described in ISO/IEC 27002 and supplements them where necessary, so that they can be effectively used for managing health information security. By implementing ISO 27799:2016, healthcare organizations and other custodians of health information will be able to ensure a minimum requisite level of security that is appropriate to their organization's circumstances and that will maintain the confidentiality, integrity and availability of personal health information in their care. It applies to health information in all its aspects, whatever form the information takes (words and numbers, sound recordings, drawings, video, and medical images), whatever means are used to store it (printing or writing on paper or storage electronically), and whatever means are used to transmit it (by hand, through fax, over computer networks, or by post), as the information is always be appropriately protected.

ISO 27799:2016 and ISO/IEC 27002 taken together define what is required in terms of information security in healthcare, they do not define how these requirements are to be met. That is to say, to the fullest extent possible, ISO 27799:2016 is technology-neutral ...”

Scope and purpose

An extract from the introduction further explains the purpose:

“This International Standard provides guidance to healthcare organizations and other custodians of personal health information on how best to protect the confidentiality, integrity and availability of such information by implementing ISO/IEC 27002. Specifically, this International Standard addresses the special information security management needs of the health sector and its unique operating environments. While the protection and security of personal information is important to all individuals, corporations, institutions and governments, there are special requirements in the health sector that need to be met to ensure the confidentiality, integrity, auditability and availability of personal health information. This type of information is regarded by many as being among the most confidential of all types of personal information. Protecting this confidentiality is essential if the privacy of subjects of care is to be maintained. The integrity of health information must be protected to ensure patient safety, and an important component of that protection is ensuring that the information’s entire life cycle be fully auditable. The availability of health information is also critical to effective healthcare delivery. Health informatics systems must meet unique demands to remain operational in the face of natural disasters, system failures and denial-of-service attacks. Protecting the confidentiality, integrity and availability of health information therefore requires health-sector-specific expertise ... It is not intended to supplant ISO/IEC 27002 or ISO/IEC 27001. Rather, it is a complement to these more generic standards ... Annex A describes the general threats to health information. Annex B briefly describes other standards that can be applied to specific aspects of health information security. Annex C discusses the advantages of support tools as an aid to implementation.”

Whereas the stated scope is health, the standard has value beyond the intended audience. For example, advice on defining the scope, analyzing gaps and establishing an Information Security Management Forum would apply to many organizations from other industry sectors implementing ISO27k. The advice on risk management draws heavily on ISO/IEC TR 13335 and goes beyond that provided in ISO/IEC 27002. Even governance merits a few mentions.

Status of the standard

The standard was first published in 2008.

The second edition, updated to reflect the 2013 releases of ISO/IEC 27001 and 27002, was published in 2016.

It has been proposed to bring this standard formally into ISO27k as a sector-specific standard under SC 27. A study period is currently developing a justification and outline specification for a ‘sector-specific’ ISO27k standard for healthcare.

Personal comments

This standard was developed and published by ISO technical committee TC215 responsible for health informatics, rather than JTC1/SC 27, the joint ISO + IEC committee responsible for ISO27k. Whether ISO 27799 is strictly a part of the ISO/IEC 27000 series standards is a moot point: it make little difference to users either way.

Turf wars aside, it is curious that the TC215 seems to have worked in parallel on this, rather than collaborating with the SC 27 team working on 27002. Maybe they approached the editors of 27002 but were spurned? Perhaps it didn’t occur to them to collaborate. Perhaps they felt 27002 is perfectly self-explanatory, and they were ideally placed to put the health industry spin on it. I have no idea.

The standard reads like an implementation guideline/book, something an experienced consultant might espouse. It offers pragmatic advice - nuggets of wisdom such as (from section 6.4.1.1):

“In theory, ISO/IEC 27002 can be applied to whole organizations. However, experience from implementations in the UK and elsewhere has shown that very large units struggle to complete the work involved and to deliver the necessary level of compliance in one attempt. Compliance scopes that cover no more than two to three sites or approximately 50 staff or approximately ten processes have been found to work very well. For this reason, primary care practices, clinics, home visit teams, hospital specialties and directorates, etc., all make effective scopes. An incremental and iterative process is thus typically followed to achieve total coverage and full benefit. The prospects for achieving such results ought not to be undermined by the selection of an overly broad compliance scope. However, where third-party providers of IT services are employed, “Management of IT Services Delivery” has been widely adopted as a scope for compliance, with considerable success. In health organizations, as elsewhere, activity in recent years has successfully moved information security from being a technical or “back-office” function to being a prominent corporate responsibility. In healthcare, the extensive interdependency of functions makes scope definition a challenge. For this reason, it is all the more important to get it right.”

As you can see, the style is quite verbose, at one point stating that implementing ISO/IEC 27002 is not simply a matter of following a checklist. How true!

The 2016 version continues in the vein of helping users interpret and apply ISO/IEC 27002 in the context of a medical organization.